Bug 1152364 (CVE-2014-1582, CVE-2014-1584) - CVE-2014-1582 CVE-2014-1584 Mozilla: Key pinning bypasses (MFSA 2014-80)
Summary: CVE-2014-1582 CVE-2014-1584 Mozilla: Key pinning bypasses (MFSA 2014-80)
Alias: CVE-2014-1582, CVE-2014-1584
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Whiteboard: impact=moderate,public=20141014,repor...
Depends On:
Blocks: 1144388
TreeView+ depends on / blocked
Reported: 2014-10-14 02:28 UTC by Huzaifa S. Sidhpurwala
Modified: 2019-06-08 20:13 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-10-14 02:59:39 UTC

Attachments (Terms of Use)

Description Huzaifa S. Sidhpurwala 2014-10-14 02:28:26 UTC
Mozilla developer Patrick McManus reported a method to use SPDY or HTTP/2 connection coalescing to bypass key pinning on different sites that resolve to the same IP address.This could allow the use of a fraudulent certificate when a saved pin for that subdomain should have prevented the connection. This leads to possible man-in-the-middle attacks if an attacker has control of the DNS connection and the ability to obtain a fraudulent certificate that browsers would accept in the absence of the pin.

Mozilla security engineer David Keeler discovered that when there are specific problems verifying the issuer of an SSL certificate, the checks necessary for key pinning would not be run. As a result, the user is then presented with the "Untrusted Connection" error page, which they can use to bypass the key pinning process on a site that should be pinned. This error message is always shown to the user and cannot be used to silently bypass key pinning on affected sites.

Key pinning was first introduced in Firefox 32 and currently only covers a small number of built-in sites.

External Reference:



Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Patrick McManus and David Keeler as the original reporter.


This issue does not affect the version of firefox and thunderbird as shipped with Red Hat Enterprise Linux 5, 6 and 7.

Note You need to log in before you can comment on or make changes to this bug.